Slashdot Mirror

← Back to Stories (view on slashdot.org)

When Will The Next Slammer Strike?

Posted by timothy on from the not-to-pick-on-anyone dept.

scubacuda writes "Business Week has an article on how the Slammer worm demonstrates just 'how vulnerable the Internet remains': MS's own DBs were affected, telephone/ATM/etc were knocked out, and if the worm had occurred only 48 hours later (preventing investor's trading, 911 calls, banking services), there could have been a 'virtual Net shutdown.' Vincent Weafer, director of the computer-security outfit Symantec's Anti-Virus Response Center (SARC), says that the likelihood that a Slammer-style worm will hit at a more vulnerable moment is high."

33 of 408 comments (clear)

  1. Could someone explain... by zerosignal · · Score: 5, Interesting

    ...why ATMs were affected? I've seen this mentioned in a few articles but I didn't think banks would use the Internet to connect ATMs on their systems.

    1. Re:Could someone explain... by Anonymous Coward · · Score: 5, Informative

      ATMs are not connected to the internet, but to the bank's private network, which, yes, runs over TCP/IP. So a computer that got infected and had access to the internal network would be enough to crash those reachable ATMs.

      Brett Glass : http://www.brettglass.com

    2. Re:Could someone explain... by MoTec · · Score: 5, Informative

      Many ATMs use a phone line to connect to the network to run the transaction so if the phone lines are down so is the ATM. Some use leased lines or other communication technologies but a POTS line does the job and is often cheapest.

    3. Re:Could someone explain... by DJayC · · Score: 5, Insightful

      It is unclear in the article if they mean ATM as in bank ATM's, or ATM as in asynchronous transfer mode networks. I'm sure the author doesn't even know in which context ATM is used.

      Just a thought *shrugs*

    4. Re:Could someone explain... by LostCluster · · Score: 4, Informative

      Just because something isn't technically on the Internet, doesn't mean it is on a completely walled-off pipe.

      Many stand-alone ATM structures use a satellite connection from Hughes Network Systems to securely connect to their company's network. But that's the same Hughes Network Systems birds that power DirecWay and DirecPC consumer services. So, if for some reason there was a sudden surge in Internet traffic (such as a worm randomly trying to infect IP addresses without caring whether or not there is a machine capable of being infected on the other end) the ATM might not be able to get enough satellite time to complete a transaction without timing out, therefore resulting a "lost my connection" message on the ATM.

      Think of it as a VPN tunnel over a network that is used partly for Internet, and partly for other things... if the Internet goes crazy, it affects those other things too.

    5. Re:Could someone explain... by ergo98 · · Score: 4, Informative

      My presumption is that they were running ATM VPN traffic over standard IP connections (basically like running an ADSL line to the site). This would affect anyone who is running a system critical service over the shared internet.

      Having said that, if they were affected then it demonstrates really poor planning: Any critical service should have QoS guarantees by their provider (which should have peer QoS guarantees, and so on), so if the ATM requires a minimum of x bandwidth, then the provider will guarantee that all other traffic will be throttled to accommodate it, building more bandwidth (fibre, etc) if they cannot accommodate all of their QoS guarantees at once. It most certainly seems ridiculous to even ponder things like 911 going down because of something like this.

      Let me put it another way: Many telcos share the same data lines for both voice traffic (long distance calls, etc), and Internet IP traffic: Internet traffic cannot take up so much bandwidth that it impedes the voice data, as the telco will always throttle it accordingly to ensure that voice always gets through with 100% throughput. These same sorts of guarantees hold true (or should hold true) for all other system critical type services, and it is brutal irresponsibility to do anything else. When some kid with a ping program can take down your system then it points out a pretty big flaw.

    6. Re:Could someone explain... by Anonymous Coward · · Score: 5, Insightful

      My assumption was that they were talking about ATM (Asynchronous Transfer Mode). Many ATM networks were significantly hurt by this because routers and switches that utilize SVCs kept building and rebuilding circuits.

      The whole point of this problem can be simplified to bad code and bad base installs. I keep hearing people say it's not MS's problem. I work with a wide variety of products in the networking (L2 & L3+ WAN) and systems world. Any one of the vendors that I deal with would lose serious market share if their products were found to be vunerable to something like this and they simply patched it but didn't change the base install to be "secure".

      Let's start by taking an example of a comparable product -- postgreSQL. We all know that a recent patch to this product fixed a possible remote exploit. Certainly the bug shouldn't have been there and it was something that should be patched. However, the point is that the postgreSQL base install doesn't even allow remote connections. In fact, the config file tells you that without remote connections allowed, it's still probably an liberal configuration that should be locked down more.

      I'll buy that MS has a large market share and that occasionally something will get through the normal protections; however, the base installs should be locked down. Why aren't they? It's a question that is very simple to answer.

      MS sold the Internet community a grand story. In this story, running a server is a simple task that anyone can do. For this story to be believed, they have to have the base install do everything out of the box without any special configuration which might require a real administrator, dba, network design specialist, etc. If the products were actually locked down like they should be (like most of the competing products are), MS would have a bigger job in support calls because 80% of the non-administrators that work with MS platforms would be ill-equiped to handle the proper configuration of the server to get it to work.

      I have a product that I use on linux that was written with this kind of security in mind. The config file is riddled with lines like: die "you didn't go through your config file!". If you don't completely configure the product, it keeps dying on startup. This is how products should be released--locked down and set to die if the configuration is not explicitly setup by the admin with them being aware of the dangers to each option they set back on.

      I also hear a lot of people complaining that people didn't install the patches, I again go to the point of the base install. If the product's base install were locked down, far less databases would have been open even if they were unpatched. Seriously, let's be reasonable, why should an SQL server open ports by default to anything except maybe 127.0.0.1. Many databases now only need one or two subnets open anyway since their database interaction goes on with an application server (often a web server) which serves as the db client for the users anyway and quite a few databases on the lower end systems (where most of the sysadmins who don't know how to lock things down are) reside on the same box as the app services.

    7. Re:Could someone explain... by JediTrainer · · Score: 5, Informative

      Yes. ATMs as in bank ATMs. Cash machines.

      I don't know about most people, but the outage affected customers of CIBC Bank in Canada, who couldn't withdraw their cash from many machines throughout Ontario (the news said Toronto only, but it affected some of my family and friends in other areas too).

      Being a customer of a different bank (TD Canada Trust), I was not affected.

      --

      You can accomplish anything you set your mind to. The impossible just takes a little longer.
  2. This is nothing yet by Scarblac · · Score: 5, Interesting

    The scariest thing is actually that this kind of damage is being done by a worm that doesn't actually do anything except spread itself (as far as I know, anyway).

    Damage would be much worse if these things started cleaning hard drives after the action (yeah yeah, backups - just like all your databases always have the latest patches, right?)

    --
    I believe posters are recognized by their sig. So I made one.
    1. Re:This is nothing yet by travail_jgd · · Score: 4, Insightful
      Damage would be much worse if these things started cleaning hard drives after the action (yeah yeah, backups - just like all your databases always have the latest patches, right?)

      I would think that damage would be worse if the worm just sat quietly for a few weeks (or even months), slowly corrupting data in the database. At that point, backups may not be usable; at some point either the last backup media has been recycled, or new entries to the database would be too expensive to re-enter.

      A "stealth" worm, whose primary focus is remaining undetected rather than consuming huge amounts of resources would be a lot more devastating than an obvious one.
  3. When Will The Next Slammer Strike? by ksheka · · Score: 5, Funny

    When is the next Microsoft product being released?

    --
    alias uptime="echo '5:33pm up 22342352324 days, 6:28, 2124315623 users, load average: 2432.40, 12312.31, 123123.19'"
  4. Two ways of "solving" this problem . . . by aaronhurd · · Score: 5, Insightful

    In my opinion, there are two ways that people will react to the problem of exploits in computer software:

    In the short term, I expect that the most recent attack will provide a huge sales boost to pre-packaged "security solutions" like firewalls, virus protection, etc. and will probably be used as an extra card that the government can play when arguing for implementing a comprehensive Internet monitoring system. Of course, both of these things are unfortunate, as neither one promotes security and the latter gives the government way too much power . . .

    Long term, the best protection against exploits in computer software is a shift in attitude about where software companies should place their priorities. At present, it is more lucrative for companies to push a piece of software out the door and sell upgrades than to spend extra time developing secure software. Only a strong fiscal mandate from corporate customers will change the way software companies do business . . . and I hope that mandate comes soon.

  5. Re:Government Funding of Security/Virus Prevention by damiam · · Score: 5, Informative
    I think we ought to make virus-protection code public

    It is.

    who can't afford 50 bucks on a virus scanner or decent firewall software

    Then don't pay 50 bucks.

    I saw Nimda infections up until the end of last year

    Norton and McAfee both provided free available Nimda removal tools. Besides, if you can afford IIS, you can afford a virus scanner.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
  6. Re:Government Funding of Security/Virus Prevention by matth · · Score: 4, Informative

    It *is* free http://www.grisoft.com (AVG)

  7. Analysis of the Slammer/Sapphire worm by Istealmymusic · · Score: 5, Informative
    This was posted on BugTraq:
    From: "Nicholas Weaver"
    Date: Fri, 31 Jan 2003 6:09 PM
    To: bugtraq@securityfocus.com
    Subject: The Spread of the Sapphire/Slammer SQL Worm
    We have completed our preliminary analysis of the spread of the Sapphire/Slammer SQL worm. This worm required roughly 10 minutes to spread worldwide making it by far the fastest worm to date. In the early stages the worm was doubling in size every 8.5 seconds. At its peak, achieved approximately 3 minutes after it was released, Sapphire scanned the net at over 55 million IP addresses per second. It infected at least 75,000 victims and probably considerably more.

    This remarkable speed, nearly two orders of magnitude faster than Code Red, was the result of a bandwidth-limited scanner. Since Sapphire didn't need to wait for responses, each copy could scan at the maximum rate that the processor and network bandwidth could support.

    There were also two noteworthy bugs in the pseudo-random number generator which complicated our analysis and limited our ability to estimate the total infection but did not slow the spread of the worm.

    The full analysis is available at

    David Moore, CAIDA & UCSD CSE
    Vern Paxson, ICIR & LBNL
    Stefan Savage, UCSD CSE
    Colleen Shannon, CAIDA
    Stuart Staniford, Silicon Defense
    Nicholas Weaver, Silicon Defense and UC
    Berkeley EECS

    A must read for anyone who wants to know about this worm. Its impact was huge--90% infection of all vulnerable hosts in 10 minutes . Even some E911 systems were knocked out. The internet routers at large were saturated with 120ms latency. Twice the speed of Code Red. All this with a simple PRNG scanning algorithm.
    --
    "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
  8. Re:Government Funding of Security/Virus Prevention by MadocGwyn · · Score: 4, Informative

    There are some companies that offer free services.

    <LI>http://housecall.trendmicro.com<LI&gt ;

    Free Java Based scanner, works well I've used it many times when I'm out fixing someones computer and they dont have a decent scanner.

    --
    Jesus saves, everyone else takes full damage from the fireball.
  9. Microsoft products aren't for internet use by bkontr · · Score: 5, Insightful

    MS products are too buggy for the internet. Even when MS comes out with patches sysadmins are extremely reluctant to apply them (even at Microsoft) in fear that the patch will cause more problems (ie BSOD) than it fixes. Remember Microsoft got hit by Slammer hard because it didn't install its own patches. Was Microsoft waiting for customers to beta test thier software before they even tried it themselves??? Plus the MS SQL server is not the only MS product that Slammer can infect......when are people going to hold Microsoft accountable for its lack of security and general poor coding??

    --


    "You helped our nation celebrate its bicentennial in 17 -- 1976." --George W. Bush, to Queen Elizabeth, Wash
  10. Scary stuff, kids by Saint+Aardvark · · Score: 4, Interesting
    Posted to Bugtraq yesterday was a quick summary of a study of the Slammer worm and its effects. Quote:

    This worm required rougly 10 minutes to spread worldwide making it by far the fastest worm to date. In the early stages the worm was doubling in size every 8.5 seconds. At its peak, achieved approximately 3 minutes after it was released, Sapphire scanned the net at over 55 million IP addresses per second. It infected at least 75,000 victims and probably considerably more.

    I read that and my jaw just dropped.

    This worm, from what I've read (these aren't my conclusions; I'm not that smart), did two very interesting things. The first is that it used one UDP to spread: no waiting around for the three-way TCP handshake, no hanging waiting for a reply, just send and move on to the next one. From what I understand, that's pretty new. Second, it caused most of its damage not by trashing filesystems or anything like that, but just by spewing *huge* amounts of traffic.

    The first is interesting because as a tactic, it'll almost certainly be copied. The second is interesting because it probably won't be copied.

    Well worth your time; it's fascinating -- and frightening -- reading. Get it here:

    http://www.caida.org/analysis/security/sapphire

    --
    Carousel is a lie!
  11. Likelihoods by Neophytus · · Score: 4, Insightful

    Likelihood there will be another one: very high
    Likelihood that it will affect a Microsoft product: pretty high
    Likelihood that it will exploit a flaw that was fixed the summer before: almost certain

    As far as i'm concerned those with low maintenence co-located servers should pay more attention to security bulletins so that when when a major patch does come out they can fix it, then when something does hit their several-year-old computer it won't be thrashed to death by modern worms.

  12. Time to hold M$ Accountable. by BigBlockMopar · · Score: 5, Insightful

    The same MS that didn't apply their *own* patches ?!?

    The problem that I have is, even though I don't run any Microsoft software, their incompetence keeps on screwing me around and costing me productivity.

    I get hundreds of e-mail virii per day, owning partially to incompetent users, but also partially to incompetent Outlook programmers.

    At the height of Code Red, I was getting hundreds of hits per day to my webserver.

    That last worm effectively shut down portions of the Internet.

    Now, here's the problem. If I'm driving down the road, and a Hyundai's brakes fail and cause it to run a red light and plow into the side of me, it'll piss me off, but it's a quirk, and shit happens.

    If, every couple of months, a Hyundai's brakes fail and I get hit, pretty soon, I'll start to get very pissed off, not just with the idiots who drive Hyundais, but also with Hyundai itself.

    This has gotten to be utterly ridiculous. We have to find some way of holding Microsoft accountable for their fucking ineptitude.

    --
    Fire and Meat. Yummy.
    1. Re:Time to hold M$ Accountable. by ejaw5 · · Score: 4, Insightful

      That's a great analogy..I'll add this though:
      Investigations from the NTSB and all will force Hyundai to recall all their affected cars and fix the brake problem. Don't expect such actions against Microsoft.

      --

      $cat /dev/random > Sig
  13. Re:If they catch the guy... by rjh · · Score: 4, Funny

    What the hell, I got karma to burn. :)

    Not just let's throw him in the Slammer. Let's throw him in Federal Pound-Me-In-The-Ass prison [*] with a cellmate who's affectionately known as... the Slammer.

    "So, Mr. Worm Writer, are you enjoying your cellmate's one-eyed worm?"

    [*] ... thank you, Office Space

  14. Regulation by kahei · · Score: 4, Insightful


    Thing is, we're dealing with an industry (the IT industry) that does not have the safely regulations and standards common in older sectors. There is no standard saying what steps must be taken to prevent your own systems damaging others, and no regulatory body to enforce compliance. Worms like this are creating a pressure to bring IT into line with the more, hm, predictable business areas.

    Over time, IT, like other industries, will move toward public safety standards such as we see in transport, manufacturing, finance, and all those *boring* businesses. It's a necessary part of the evolution of this industry from backrooms to ubiquity, I guess.

    In 20 years time we'll probably see the government fining companies that don't patch their servers to a certain standard, just like we see airports and tire makers being fined now.

    This just reinforces what I've been thinking for a while now... time to move away from IT iself and into IT law/management/business...

    --
    Whence? Hence. Whither? Thither.
  15. But the weekend is the best time for a worm by mr_exit · · Score: 4, Interesting

    I thought the whole reason worm writers release their creations in the weekend is so they have the best chance to spread before systadmins wake up and realise what is happening.

    If it WAS let out during business hours, whould it have gotten so far? would it have caused much dammage at all?

    --

    -------
    Drink Coffee - Do Stupid Things Faster And With More Energy!
  16. Re:Government Funding of Security/Virus Prevention by Blkdeath · · Score: 4, Insightful
    Public source code for software that is designed to protect isn't a great idea IMO. Would you want your home security system, complete with sensor locations, schematics, etc. posted in a book on your front porch?

    Have I stepped out of Slashdot and into some kind of paralell universe where open source doesn't exist?

    The schematics for my firewall and all public daemons ARE available, some of them even "at my front door".

    Publicly available anti-virus and firewall software would be great (source code witheld), but then you run into the same problem MS has. Huge user base = greater draw to those looking to undermine the software = more security issues.

    So there are twice as many Apache vulnerabilities as IIS vulnerabilities? And don't give me that "there are more Windows users ... " excuse. If you want to affect the WWW at large, you attack that which comprises more than half the entire WWW, that being Apache. Were your logic correct, there would be a plethora of Apache vulnerabilities. The fact remains that a quality codebase, rather than a small userbase, defines the relative security of a product.

    Nice troll, though. It looked really sincere.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  17. patches and rips by urbazewski · · Score: 4, Interesting
    Okay, this is a bit offtopic, but I've been scanning the comments on various stories about the Slammer virus and have noticed that, according to many many posters, security patches can introduce new bugs in the software that cause it to behave erratically.

    My offtopic question is: why doesn't this happen with Linux ? (or does it happen with Linux?)

    I don't use Linux and I'm not a bonafide geek (I've never had 'root' access, which seems to be one of the key requirements --- that may change now that I use Mac OS X), and I've always wondered why using fixes, new functions, patches, whatever, written by numerous different people hasn't turned Linux or other open source into a non-functioning morass of code. I read Eric Raymond's The Cathedral & the Bazaar but I didn't really feel like he answered the question, other than refering to the gospel of Linus "with enough eyes, any bug is shallow."

    Isn't an operating system more complicated (or at least more fundamental) than an application? Why doesn't (or how often) does fixing one bug in Linux create two new ones?

    blog-O-rama

    --
    foldplay your photos won't know what hit them.
    1. Re:patches and rips by StormReaver · · Score: 4, Insightful

      There are several reasons why Linux is not so adversely affected by security patches:

      1) Linux the kernel is distinctly independent from the applications that it runs and from the vast majority of device drivers that it hosts. This is most likely the single most important factor. For example, fixing Apache does not require tampering with the kernel, which is turn does not require tampering with the web browser, which in turn does not require tampering with the task manager, which in turn does not require tampering with the database server. With Windows, changing one area touches every single other part of the entire system, including some very large applications (because they are integrated with the kernel).

      2) Security releases are fast, furious, and focused. Only the affected pieces are replaced. When OpenSSL was compromised by Slapper, only OpenSSL was fixed. The fix didn't have to touch a hundred completely unrelated areas as happens when your entire kit and kaboodle (Windows) is tied together by spaghetti clusters. The fixes are released immediately after the vulnerability is discovered, and the full scope of the fix is detailed (parts are not hidden, as is the case with Windows). And the fixes, if anything was missed the first time, continue until the problem is erradicated.

      3) Full disclosure. The vulnerability is fully disclosed to the user base ASAP, and details provided to allow us to confirm the vulnerability. Since the vulnerable parts of the system are separate and distinct, fixing the individual parts can occur on a continuous basis. That is, not every affected component has to be fixed before other fixed pieces can be distributed.

      Not being a security type person, these are only things I can think of off the top of my head based on my own limited experience.

  18. Worm indicates massive back-end udp exposures? by pophop · · Score: 5, Interesting

    1. The worm was strictly based on UDP 1434 transfer
    I find it very difficult to believe major corporation firewalls would allow UDP 1434 inside from Internet. Some, maybe - but few.
    So: I rule our direct penetration from the Internet for most corporate environments.

    2. Worm was memory resident only. Reboot cleared it.
    Most user PC's would be rendered useless by the worm. CPU and local Network saturation would do that. So I doubt that people got infected and THEN VPN'ed into work. They would reboot, clear the worm, possibly get re-infected - but I doubt
    if they would be able to bring an already infected machine into work via VPN.

    Note: If split tunneling was allowed then it is quite possible for an already conencted home PC to act as a vector into a company - my guess
    is that this is NOT common.
    So: I rule out employee remote access as a primary vector.

    3. This leaves me with back-end connectivity across private "trusted" comm channels. ( i.e. Frame ) .
    I know this was a vector in at least one case - and the circumstances ( misconfigured ACL's that were overly generous in what UDP traffic they
    allowed from "trusted" business partners ) is something that I suspect is very common in large organizations.

    The speed which this thing moved ( see: http://isc.sans.org/port1434start.gif ) and the actual vectors I saw make me very suspicious that
    the large organizations of the world are massively linked by misconfigured routers/firewall that allow way too much UDP traffic flow between
    trusted partners - affectively a "fuse" linking the worlds computing infrastructures.

    That's it. Wacky and overly-speculative perhaps but I would be interested in getting some anonymous feedback about the successful attack vecors
    other people saw in the propagation of the worm - particularly people in large organizations that have large "private" comm networks.

    --
    "very like a whale..."
  19. Re:Stealth worm by chromatic · · Score: 5, Funny

    Cancelling a meeting decreases your productivity? Whoa.

    --
    how to invest, a novice's guide
  20. Re:Microsoft Responsible..... by Chester+K · · Score: 4, Interesting

    We need to put blame where blame belongs, and that is the company that orginated this faulty and shoddy product

    I disagree completely on the fact that holding Microsoft responsible would be a chilling precedent that would effectively squelch software development, because all software has bugs.

    Would you contribute to Open Source projects if you knew that any bug you write, no matter how obscure and unintentional, might become a liability to you? Would getting your name in the changelog of the kernel be worth putting your financial future at risk?

    Oh, and it doesn't matter who discovers the bug. Even if it's discovered before its exploited and you issue a patch for it (as Microsoft did in this case, I might add), you think the software author should still be held liable? Even thought you did your part and fixed the bug? Isn't it the sysadmin's fault at that point?

    --

    NO CARRIER
  21. How fast... by sean23007 · · Score: 4, Interesting

    Boy, how fast would everyone drop MS once and for all if this worm had been written to corrupt filesystems and/or destroy data? As it is, everyone will just try to patch their systems and whine a little bit, but at the end of the day they will still write out a check to Microsoft. Eventually, along will come a worm that will cripple Microsoft's ability to sell products any longer: when it becomes clear that using MS software is practically a guarantee that your data is vulnerable and could even be destroyed, Windows is finished; Microsoft is finished.

    --

    Lack of eloquence does not denote lack of intelligence, though they often coincide.
  22. Re:MS's own DBs were affected by Bedouin+X · · Score: 5, Informative

    They (MS) know better than anyone that applying an SQL Server hotfix is a royal pain in the ass. They just modified the initial Slammer vulnerability patch so that it has an installer. Before that you had to stop the server, backup the files, copy the new files manually into their respective directories, and then run a couple of queries in the query analyzer.

    This and MS's reputation for having to patch patches (sometime 2 or 3 times) is why people don't jump at the chance to apply one of those damn things. It took this incident for them to make installing a simple SQL Server hotfix less than a 25 minute job.

    I also downloaded SP3 4 times and every time I tried to run setup, I got a "setupsql.exe can not be found" error. I STILL don't have SP3 on my SQL server, but it's firewalled anyway so I'm not totally naked.

    --
    Dissolve... Resolve... Evolve...
  23. how about a slammer-cleaning worm... by GC · · Score: 4, Interesting

    Just how difficult is it to comeup with some code that goes about finding vulnerable machines, makes them invulnerable, and tries to spend a modest amount of it's time finding more vulnerable machines.

    Bring on the white-hat worms that actually fix problems, rather than cause them.

    Sure - ethics must be a problem, but there must be some slightly-un-ethical white hats out there ready to give this a go?